unknownFiles.php — Wordfence Security – Firewall, Malware Scan, and Login Security 6.1.3

wordfence / lib / unknownFiles.php

wordfence / lib Last commit date

unknownFiles.php

158 lines

1	<?php if(! wfUtils::isAdmin()){ exit(); } ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2	<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
3	<head>
4	<title>Files found that don't belong to WordPress Core or known Themes and Plugins</title>
5	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
6	<link rel='stylesheet' id='wordfence-main-style-css' href='<?php echo wfUtils::getBaseURL(); ?>/css/diff.css?ver=<?php echo WORDFENCE_VERSION; ?>' type='text/css' media='all' />
7	<body>
8	<h1>Wordfence: Files found that don't belong to WordPress Core or known Themes and Plugins.</h1>
9	<?php
10	$path = ABSPATH;
11	$fileList = wfConfig::get('lastUnknownFileList');
12	if($fileList){
13	?>
14	<p style="width: 700px; margin-top: 20px;">
15	<b>Please note:</b> To use this utility, you must enable scanning of Core, Theme and Plugin files on the Wordfence options page.
16	<?php if(! wfConfig::get('scansEnabled_themes')){ echo '<span style="color: #F00;">Theme scanning is currently disabled.</span> '; } ?>
17	<?php if(! wfConfig::get('scansEnabled_plugins')){ echo '<span style="color: #F00;">Plugin scanning is currently disabled.</span> '; } ?>
18	<?php if( (!wfConfig::get('scansEnabled_plugins')) \|\| (!wfConfig::get('scansEnabled_themes')) ){ echo 'You can visit the Wordfence "options" page to enable theme or plugin scanning.'; } ?>
19
20	If you don't have core, theme and plugin scanning enabled, then the list below will not be very useful because Wordfence won't recognize known core, theme and plugin files.
21	If you have the option enabled to "Scan files outside your WordPress installation" enabled, then you may find that this list is very long because it will include files in all your directories.
22	<br /><br />
23	<b>What is in this list:</b>
24	When Wordfence does a scan, it separates files on your system into two lists. The first list is files that belong to WordPress Core or a known theme or plugin. The second list is all other files.
25	<br /><br />
26	If a <b>file belongs to WordPress Core or a known theme or plugin</b>, we do an integrity check and let you know if it has been modified.
27	The integrity check we do on known Core, theme and plugin files is a very reliable way to detect compromised files. It is impossible as far as we know for a hacker to fool this scan
28	because we are comparing your files to known originals on our secure scanning servers. If the file is modified, we let you know with a warning or critical alert in the scan results.
29	<br /><br />
30	If the file <b>does not belong to WordPress Core or a known theme or plugin</b>, we scan it for security problems.
31	We have a pretty good detection rate for this second scan, but for very advanced or sneaky attacks our admin's sometimes prefer to examine these files by hand.
32	If you would like to look at these non-integrity checked files, we provide you with the list below. You can click on any file to view the contents and see if it has been hacked.
33	<br /><br />
34	<b>Files that you will find in this list are:</b>
35	<ul>
36	<li>Files belonging to commercial themes that are not in the open source WordPress theme repository</li>
37	<li>Files belonging to commercial plugins that are not in the open source WordPress repository</li>
38	<li>Files created by themes or plugins</li>
39	<li>Files created by you on your WordPress installation by uploading them through WordPress or a utility like FTP or SFTP</li>
40	<li>Files that a hacker put on your system to create a back-door, distribute spam or for another nefarious purpose.</li>
41	</ul>
42	<b>How to use this list to clean your system if it is infected:</b>
43	<ul>
44	<li>First sort by most recently modified files by clicking the "Last Modified" column. You may have to click it twice.</li>
45	<li>Examine recently modified files by clicking them to view the file and check if it is infected. This is often the most reliable way to find an infection.</li>
46	<li>Then sort by "Full File Path" and look at files that aren't one of your custom themes or plugins.</li>
47	<li>Note that custom themes and plugins live in the /wp-content/themes/ and /wp-content/plugins directories.</li>
48	<li>Then start going through your themes and plugins to see if they are infected.</li>
49	</ul>
50	</p>
51	<h2 style="margin-top: 30px;">Files that don't belong to WordPress Core, or to a theme or plugin in the WordPress Repository:</h2>
52
53
54	<?php
55	$files = array();
56	while(strlen($fileList) > 0){
57	$filenameLen = unpack('n', substr($fileList, 0, 2));
58	$filenameLen = $filenameLen[1];
59	if($filenameLen > 1000 \|\| $filenameLen < 1){
60	continue;
61	}
62	$file = substr($fileList, 2, $filenameLen);
63	$fileList = substr($fileList, 2 + $filenameLen);
64	$fullFile = $path . $file;
65	if(! file_exists($fullFile)){
66	continue;
67	}
68	$fileExt = '';
69	if(preg_match('/\.([a-zA-Z\d\-]{1,7})$/', $file, $matches)){
70	$fileExt = strtolower($matches[1]);
71	}
72	$isPHP = false;
73	if(preg_match('/^(?:php\|phtml\|php\d+)$/', $fileExt)){
74	$isPHP = true;
75	}
76	// http://test3.com/?_wfsf=view&nonce=c1ad72bcbd&file=wp-content%2Fplugins%2Fwordfence%2Flib%2Fmenu_options.php
77	$viewLink = wfUtils::siteURLRelative() . '?_wfsf=view&nonce=' . wp_create_nonce('wp-ajax') . '&file=' . urlencode($file);
78	$stat = stat($fullFile);
79	if(function_exists('posix_getpwuid')){
80	$owner = posix_getpwuid($stat['uid']);
81	$owner = $owner['name'];
82	} else {
83	$owner = "unknown";
84	}
85	if(function_exists('posix_getgrgid')){
86	$group = posix_getgrgid($stat['gid']);
87	$group = $group['name'];
88	} else {
89	$group = 'unknown';
90	}
91	$perms = substr(sprintf('%o', fileperms($fullFile)), -4);
92	$files[] = array($file, $fullFile, $stat['size'], $stat['mtime'], $viewLink, $owner, $group, $perms);
93	}
94	function wfUKFcmp($a, $b){
95	$idx = $_GET['sort'] ? $_GET['sort'] : 2;
96	if($_GET['dir'] == 'rev'){
97	$tmp = $a;
98	$a = $b;
99	$b = $tmp;
100	}
101	$type = 'num';
102	if($idx == 1 \|\| $idx == 5 \|\| $idx == 6 \|\| $idx == 7){
103	$type = 'str';
104	}
105
106	if($a[$idx] == $b[$idx]){
107	return 0;
108	}
109	if($type == 'num'){
110	return ($a[$idx] < $b[$idx]) ? -1 : 1;
111	} else {
112	return strcmp($a[$idx], $b[$idx]);
113	}
114	}
115	usort($files, 'wfUKFcmp');
116
117	$sortLink = wfUtils::siteURLRelative() . '?_wfsf=unknownFiles&nonce=' . wp_create_nonce('wp-ajax') . '&sort=';
118	$sortIDX = $_GET['sort'];
119	if(! $sortIDX){
120	$sortIDX = 2;
121	}
122	$sortDir = $_GET['dir'];
123	if(! $sortDir){
124	$sortDir = 'fwd';
125	}
126	?>
127	<p>
128	All columns are sortable. Click the heading to sort a column. Click again to sort in reverse direction.<br />
129	If you are cleaning a hacked site, start by sorting files by most recently modified and view those files first.
130	</p>
131	<table border="1" cellpadding="2" cellspacing="0">
132	<tr>
133	<th><a href="<?php echo $sortLink; ?>2&dir=<?php echo ($sortIDX == 2 && $sortDir == 'fwd') ? 'rev' : 'fwd'; ?>">File Size in Bytes</a></th>
134	<th><a href="<?php echo $sortLink; ?>3&dir=<?php echo ($sortIDX == 3 && $sortDir == 'fwd') ? 'rev' : 'fwd'; ?>">Last modified</a></th>
135	<th><a href="<?php echo $sortLink; ?>5&dir=<?php echo ($sortIDX == 5 && $sortDir == 'fwd') ? 'rev' : 'fwd'; ?>">Owner<a></th>
136	<th><a href="<?php echo $sortLink; ?>6&dir=<?php echo ($sortIDX == 6 && $sortDir == 'fwd') ? 'rev' : 'fwd'; ?>">Group</a></th>
137	<th><a href="<?php echo $sortLink; ?>7&dir=<?php echo ($sortIDX == 7 && $sortDir == 'fwd') ? 'rev' : 'fwd'; ?>">Permissions</a></th>
138	<th><a href="<?php echo $sortLink; ?>1&dir=<?php echo ($sortIDX == 1 && $sortDir == 'fwd') ? 'rev' : 'fwd'; ?>">Full file path</a></th>
139	</tr>
140	<?php
141	for($i = 0; $i < sizeof($files); $i++){
142	echo '<tr><td>' . wfUtils::formatBytes($files[$i][2]) . '</td><td>' . wfUtils::makeTimeAgo(time() - $files[$i][3]) . ' ago.</td><td>' . $files[$i][5] . '</td><td>' . $files[$i][6] . '</td><td>' . $files[$i][7] . '</td><td><a href="' . $files[$i][4] . '" target="_blank">' . $files[$i][1] . '</a></td></tr>';
143	}
144	echo "</table>";
145	} else {
146	?>
147	<p style="margin: 40px; font-size: 20px;">
148	You either have not completed a scan recently, or there were no files found on your system that are not in the WordPress official repository for Core files, themes and plugins.
149	</p>
150	<?php
151	}
152
153	?>
154
155	<div class="diffFooter">© 2011 to 2015 Wordfence — Visit <a href="http://wordfence.com/">Wordfence.com</a> for help, security updates and more.</div>
156	</body>
157	</html>
158